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CLAIMS 

1 . A method of scanning a computer file for virus infections comprising: 
a) identifying program code within the file 

5 b) identifying the compiler used to create the program code 

c) determining the firequency distribution of selected machine code instructions 
or sequences of such instructions; and 

d) flagging the file as possibly infected with a virus, or not, on liie basis of 
comparison of the determined frequency distribution with a fi:equency distribution of machine 

10 code instructions or sequences thereof expected for that connpiler. 

2. A method according to claim 1 wherein step c) comprises the step, working 
from an entry point of the program, of 

bl) tracing an execution graph by decoding successive instruction opcodes 
15 and updating frequency counts of decoded instructions as this tracing proceeds. 

3. A method according to claim 2 wherein when, during step bl), a subroutine 
call or conditional branch instruction is encountered, the destination of the call or branch 
instruction is pushed onto a stack, tracing proceeds into the subroutine call, and when a return 

20 instruction is encountered, the pushed location is popped from the stack and tracing continues 
with the following instructions, if any. 

4. A method according to claim 1, 2 or 3, wherein the program code is examined 
for opcode constructs, such as subroutine-call and subroutine-return, instruction sequences 

25 which are expected to occur a known ratio to each other and, if the ratio actually found differs 
from the known one by more than a certain amount, the file is flagged as possibly viral, or 
subject to further processing. 

5. A method according to any one of the preceding claims and including the step, 
30 where step d) flags the file as possibly viral, of comparing the program code with a list of 

, permissible exceptions and suppressing the flag if the program code is considered to be in the 
exception list. 
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6. A system for scanning a computer file for virus infections comprising: 

a) means for identifying program code within the file 

b) means for identifying the compiler used to create the program code 

c) means for determining the fi:equency distribution of selected machine code 
5 instructions or sequences of such instructions; and 

d) means for flagging the file as possibly infected with a virus, or not, on the 
basis of comparison of the determined firequency distribution with a fi:equency distribution of 
machme code instructions or sequences thereof expected for that compiler. 

10 7. A system according to claim 6 the firequency determinmg means c) includes 

tracing means, the tracing means being operable, working torn an entry point of the program, 
to trace an execution graph by decoding successive mstruction opcodes and updaimg 
fiiequency counts of decoded instructions as this tracing proceeds. 

15 8. A system according to claim 7 wherein the tracing means is operable such that 

when a subroutine call or conditional branch instruction is encountered, the destination of the 
call or branch instruction is pushed onto a stack, tracing proceeds into the subroutine call, and 
when a return instruction is encountered, the pushed location is popped from the stack and 
tracing continues with the following instructions, if any, 

20 

9. A system according to claim 6. 7 or 8, and including means for examining the 
program code for opcode constructs,, such as subroutine-call and subroutine-return, 
instruction sequences which are expected to occur a known ratio to each other and, if the ratio 
actually found differs from the known one by more than a certain amount, the file is flagged as 

25 possibly viral, or subject to further processing 

10. A system according to any one claims 6 to 9 and including means, operable 
when the means d) flags the file as possibly viral, to compare the program code with a list of 
permissible exceptions and suppressing the flag if the program code is considered to be in the 

30 exception Ust. 



